M365 Incident Response - Newsletter #1

Adam's breach of the school's Office 365 system highlights a critical oversight in cyber security. His journey started during his tenure as an IT apprentice, when he noticed a uniform admin password across all computers. This observation, though seemingly innocuous, laid the foundation for his subsequent actions.

Years after leaving the school, Adam's intrigue about the network's security remained. Testing his old assumption about the admin password, he found it surprisingly unchanged, granting him full access to the school's Office 365 admin portal. This access enabled him to manipulate network settings and user accounts. He used this access to change passwords for accounts with super administrator rights, granting him extensive control over the Office 365 environment. Adam then looked through eDiscovery on Office 365 to ensure no alerts were triggered by his actions. His subsequent actions included accessing the VPN of the school's network, escalating his privileges, and eventually gaining control over significant parts of the school's IT infrastructure. This progression of access and control illustrates the concept of lateral movement within a network. 

This incident reinforces the necessity of robust cyber security protocols, particularly the importance of regular password updates and vigilant network activity monitoring to prevent unauthorised access. Emphasising Multi-Factor Authentication (MFA) as a primary defense strategy, it is crucial for Office 365 users to enable MFA, adding a critical security layer beyond mere usernames and passwords. MFA, implemented through security defaults or Conditional Access policies, significantly increases security, ensuring a tailored approach to user and device authentication.

Disabling outdated authentication protocols is also essential. Legacy protocols like POP3, IMAP, and SMTP, lacking modern security features such as MFA, increase vulnerability. Restricting their use through Conditional Access policies can further reduce security breaches.

Transitioning to Modern Authentication and regular review of Azure Active Directory Sign-In logs, alongside alerts for legacy protocol use, is pivotal. Additionally, enabling the Unified Audit Log in the Security and Compliance Centre is vital for monitoring O365 services, identifying suspicious activities, and ensuring compliance.

Implementing Role-Based Access Control (RBAC) to minimise excessive access rights aligns with the principle of Least Privilege. Using specific administrative roles for routine tasks, rather than Global Administrator accounts, significantly enhances security using the ‘least privilege’ method.  

Creating alerts for unusual activities, such as abnormal logins or excessive email sending, can expedite the response to malicious activities, reducing potential damage. Utilising Microsoft Secure Score also helps organisations assess and prioritise security changes within O365, offering insights into improving security and compliance postures, though not comprehensively covering all security aspects. Using Unified Audit Log, regular review of these logs, along with Azure Active Directory Sign-In logs, read this article about audit log Audit log activities | Microsoft Learn 

Focusing on specific practices, Adam's unauthorised access into the school system via Office 365 could have been prevented through better management of local admin passwords, MFA, account lifecycle, and backup strategies. 

Local Admin Passwords: The key lies in managing these effectively. Implementing the Local Administrator Password Solution (LAPS) ensures each device has a unique password, drastically reducing lateral movement risk within the network. Monitoring the creation and usage of local accounts is crucial, as their activity often indicates security threats. Implementing LAPS as part of a broader Credential Theft Mitigation strategy is advisable, including steps like using Restricted Groups and denying local accounts network access. This approach would have significantly hindered Adam's ability to move laterally within the network once he had gained initial access. Check out this YouTube video for information about setting up LAPS Boost Your Windows Security: Step-by-Step Guide to LAPS in Microsoft Intune (youtube.com)

Onboarding and Offboarding Accounts: Proper management of user accounts is essential. This includes secure onboarding processes with strong passwords and MFA, and prompt offboarding to revoke access rights of departing employees. Regular auditing of account activities aids in spotting unauthorised access attempts, a crucial step that could have impeded Adam's breach.

The 3-2-1 Backup Rule: This fundamental data protection principle involves having three copies of your data, two on different media and one offsite. In the Office 365 context, it means backups on the cloud, a physical device, and another remote location. This approach ensures multiple recovery options in case of a breach, reducing total data loss risk or extended downtime. Microsoft has updated their service level agreement, clearly stating the recommendation for customers to use a third-party backup solution for Microsoft 365 data. This external backup is essential to fill gaps in data protection policies and offers benefits like protection from hackers, encryption malware, accidental deletion, and more. It provides a safeguard for the entire Microsoft 365 tenancy, including email, files, and applications, ensuring quick and easy recovery in the event of ransomware attacks or other disasters.

Incorporating these security practices into the school's Office 365 setup would have significantly reduced Adam's attack risk and mitigated its impact. Regularly updating these measures is key to adapting to threats and maintaining a strong defence against cyberattacks.

If you want to discuss in more detail get in touch.

Mark@yorcybersec.co.uk